From 3fbea982617efca9b39a12724d7bad94ca8d849c Mon Sep 17 00:00:00 2001 
From: "steven.y.gui"
Date: Mon, 19 Feb 2024 16:22:48 +0800
Subject: [PATCH] add openeuler control rules
---
controls/std_openeuler.yml | 1786 ++++++++++++++++-
.../service_avahi-daemon_disabled/rule.yml | 2 +-
.../file_groupowner_cron_d/rule.yml | 2 +-
.../file_groupowner_cron_daily/rule.yml | 2 +-
.../file_groupowner_cron_hourly/rule.yml | 2 +-
.../file_groupowner_cron_monthly/rule.yml | 2 +-
.../file_groupowner_cron_weekly/rule.yml | 2 +-
.../file_groupowner_crontab/rule.yml | 2 +-
.../cron_and_at/file_owner_cron_d/rule.yml | 2 +-
.../file_owner_cron_daily/rule.yml | 2 +-
.../file_owner_cron_hourly/rule.yml | 2 +-
.../file_owner_cron_monthly/rule.yml | 2 +-
.../file_owner_cron_weekly/rule.yml | 2 +-
.../cron_and_at/file_owner_crontab/rule.yml | 2 +-
.../file_permissions_cron_d/rule.yml | 2 +-
.../file_permissions_cron_daily/rule.yml | 2 +-
.../file_permissions_cron_hourly/rule.yml | 2 +-
.../file_permissions_cron_monthly/rule.yml | 2 +-
.../file_permissions_cron_weekly/rule.yml | 2 +-
.../file_permissions_crontab/rule.yml | 2 +-
.../file_at_deny_not_exist/rule.yml | 2 +-
.../file_cron_deny_not_exist/rule.yml | 2 +-
.../file_groupowner_at_allow/rule.yml | 2 +-
.../file_groupowner_cron_allow/rule.yml | 2 +-
.../file_owner_at_allow/rule.yml | 2 +-
.../file_owner_cron_allow/rule.yml | 2 +-
.../file_permissions_at_allow/rule.yml | 2 +-
.../file_permissions_cron_allow/rule.yml | 2 +-
.../service_crond_enabled/rule.yml | 2 +-
.../service_dhcpd_disabled/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
.../package_httpd_removed/rule.yml | 2 +-
.../package_openldap-clients_removed/rule.yml | 2 +-
.../package_openldap-servers_removed/rule.yml | 2 +-
.../service_rpcbind_disabled/rule.yml | 2 +-
.../service_nfs_disabled/rule.yml | 2 +-
.../rule.yml | 2 +-
.../ntp/ntpd_configure_restrictions/rule.yml | 2 +-
.../nis/package_ypbind_removed/rule.yml | 2 +-
.../nis/package_ypserv_removed/rule.yml | 2 +-
.../obsolete/service_rsyncd_disabled/rule.yml | 4 +-
.../printing/package_cups_removed/rule.yml | 2 +-
.../package_samba_removed/rule.yml | 2 +-
.../package_net-snmp_removed/rule.yml | 2 +-
.../sshd_use_strong_ciphers/rule.yml | 2 +-
.../ssh_server/sshd_use_strong_kex/rule.yml | 2 +-
.../ssh_server/sshd_use_strong_macs/rule.yml | 2 +-
.../guide/services/ssh/sshd_strong_kex.var | 1 +
.../rule.yml | 2 +-
.../xwindows_remove_packages/rule.yml | 2 +-
.../file_groupowner_etc_issue/rule.yml | 2 +-
.../file_groupowner_etc_issue_net/rule.yml | 2 +-
.../file_groupowner_etc_motd/rule.yml | 2 +-
.../file_owner_etc_issue/rule.yml | 2 +-
.../file_owner_etc_issue_net/rule.yml | 2 +-
.../file_owner_etc_motd/rule.yml | 2 +-
.../file_permissions_etc_issue/rule.yml | 2 +-
.../file_permissions_etc_issue_net/rule.yml | 2 +-
.../file_permissions_etc_motd/rule.yml | 2 +-
.../accounts-banners/warning_banners/rule.yml | 24 +
.../rule.yml | 2 +-
.../oval/openeuler.xml | 291 +++
.../rule.yml | 2 +-
.../oval/openeuler.xml | 285 +++
.../rule.yml | 2 +-
...nts_passwords_pam_faillock_unlock_time.var | 1 +
.../accounts_password_pam_dcredit/rule.yml | 2 +-
.../accounts_password_pam_dictcheck/rule.yml | 2 +-
.../rule.yml | 2 +-
.../accounts_password_pam_lcredit/rule.yml | 2 +-
.../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 2 +-
.../accounts_password_pam_ocredit/rule.yml | 2 +-
.../accounts_password_pam_retry/rule.yml | 2 +-
.../accounts_password_pam_ucredit/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../oval/shared.xml | 2 +-
.../require_emergency_target_auth/rule.yml | 4 +-
.../service_debug-shell_disabled/rule.yml | 2 +-
.../account_temp_expire_date/rule.yml | 2 +-
.../account_unique_id/rule.yml | 2 +-
.../group_unique_id/rule.yml | 2 +-
.../group_unique_name/rule.yml | 2 +-
.../accounts_maximum_age_login_defs/rule.yml | 1 -
.../accounts_minimum_age_login_defs/rule.yml | 1 -
.../no_forward_files/rule.yml | 2 +-
.../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
.../accounts-session/accounts_tmout/rule.yml | 2 +- .../rule.yml | 2 +- .../accounts_umask_etc_bashrc/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../audit_rules_login_events_lastlog/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../audit_rules_sudoers/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../auditd_audispd_disk_full_action/rule.yml | 2 +- .../rule.yml | 2 +- .../auditd_data_retention_space_left/rule.yml | 2 +- .../auditing/grub2_audit_argument/rule.yml | 2 +- .../rule.yml | 2 +- .../non-uefi/grub2_password/rule.yml | 2 +- .../uefi/grub2_uefi_password/rule.yml | 2 +- .../rsyslog_cron_logging/rule.yml | 2 +- .../rsyslog_logging_configured/rule.yml | 2 +- .../rsyslog_remote_access_monitoring/rule.yml | 2 +- .../logging/rsyslog_filecreatemode/rule.yml | 2 +- .../service_firewalld_enabled/rule.yml | 2 +- .../set_firewalld_appropriate_zone/rule.yml | 2 +- .../rule.yml | 2 +- .../set_ipv6_loopback_traffic/rule.yml | 4 + .../set_loopback_traffic/rule.yml | 4 + .../set_iptables_default_rule/rule.yml | 4 + .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 5 +- .../rule.yml | 5 +- .../rule.yml | 5 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- 
.../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../sysctl_net_ipv4_ip_forward/rule.yml | 2 +-
.../rule.yml | 2 +-
.../service_nftables_enabled/rule.yml | 2 +-
.../set_nftables_loopback_traffic/rule.yml | 2 +-
.../set_nftables_new_connections/rule.yml | 2 +-
.../kernel_module_sctp_disabled/rule.yml | 2 +-
.../wireless_disable_interfaces/rule.yml | 6 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../file_permissions_ungroupowned/rule.yml | 2 +-
.../files/no_files_unowned_by_user/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../sysctl_kernel_randomize_va_space/rule.yml | 3 +
.../sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
.../restrictions/sysctl_kernel_sysrq/rule.yml | 2 +-
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 2 +-
.../selinux_confinement_of_daemons/rule.yml | 2 +-
.../selinux/selinux_policytype/rule.yml | 2 +-
.../crypto/configure_crypto_policy/rule.yml | 2 +-
.../aide/aide_build_database/rule.yml | 2 +-
.../aide/package_aide_installed/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../ensure_gpgcheck_never_disabled/rule.yml | 2 +-
products/openeuler2203/product.yml | 1 +
products/openeuler2403/product.yml | 1 +
shared/applicability/package.yml | 2 +-
195 files changed, 2599 insertions(+), 187 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
index 5599b04..eb66293 100644
--- a/controls/std_openeuler.yml
+++ b/controls/std_openeuler.yml
@@ -7,28 +7,1808 @@ levels: - id: base controls: + - id: 1.1.1_no_unowner_ungroup_files + title: Ensure All Files Have Owner And Group + levels: + - base + status: automated + rules: + - no_files_unowned_by_user + - no_files_unowned_by_user.severity=high + - file_permissions_ungroupowned + - file_permissions_ungroupowned.severity=high + + - id: 1.1.2_no_empty_symlink + title: Ensure No Empty Symlink + levels: + - base + status: planned + + - id: 1.1.3_no_hidden_exec_files + title: Ensure No Hidden Executable Files + levels: + - base + status: planned + + - id: 1.1.4_global_writable_dir_sticky_set + title: Ensure Sticky Set On Global Writable Folder + levels: + - base + status: automated + rules: + - dir_perms_world_writable_sticky_bits + - dir_perms_world_writable_sticky_bits.severity=high + + - id: 1.1.5_umask_set_correct + title: Ensure UMASK Correct + levels: + - base + status: automated + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_bashrc.severity=high + - var_accounts_user_umask=077 + + - id: 1.1.6_no_global_writable_file + title: Ensure No Global Writable File + levels: + - base + status: automated + rules: + - file_permissions_unauthorized_world_writable + - file_permissions_unauthorized_world_writable.severity=high + + - id: 1.1.7_umount_unnecessary_file_system + title: Umount Unnecessary File System + levels: + - base + status: planned + + - id: 1.1.8_mount_as_readonly + title: Ensure Mount As Readonly If No Need To Write + levels: + - base + status: planned + + - id: 1.1.9_mount_as_nodev + title: Ensure Mount As Nodev + levels: + - base + status: planned + + - id: 1.1.10_mount_as_noexec + title: Ensure Mount As Noexec + levels: + - base + status: planned + + - id: 1.1.11_mount_as_noexec_nodev_for_removable + title: Ensure Mount As Noexec And Nodev For Removable Device + levels: + - base + status: automated + rules: + - mount_option_noexec_removable_partitions + - mount_option_noexec_removable_partitions.severity=high + - 
mount_option_nodev_removable_partitions + - mount_option_nodev_removable_partitions.severity=high + + - id: 1.1.12_mount_as_nosuid + title: Ensure Mount As Nosuid + levels: + - base + status: planned + + - id: 1.1.13_remove_unnecessary_suid_sgid + title: Ensure Remove Unnecessary SUID And SGID + levels: + - base + status: automated + rules: + - file_permissions_unauthorized_suid + - file_permissions_unauthorized_suid.severity=high + - file_permissions_unauthorized_sgid + - file_permissions_unauthorized_sgid.severity=high + + - id: 1.1.14_file_permission_minimize + title: Ensure File Permission Minimize + levels: + - base + status: planned + + - id: 1.1.15_ulimit_correctly + title: Ensure Ulinmit Correctly + levels: + - base + status: planned + + - id: 1.1.16_symlinks_hardlinks_protected + title: Ensure Symlinks And Hardlinks Protected + levels: + - base + status: automated + rules: + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_symlinks.severity=high + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_hardlinks.severity=high + + - id: 1.1.17_usb_disabled + title: Ensure USB Disabled + levels: + - base + status: automated + rules: + - kernel_module_usb-storage_disabled + - kernel_module_usb-storage_disabled.severity=low + + - id: 1.1.18_partitions_management + title: Ensure Different Data Store In Different Partitions + levels: + - base + status: planned + + - id: 1.1.19_library_path_correct + title: Ensure LD_LIBRARY_PATH Correct + levels: + - base + status: planned + + - id: 1.1.20_user_path_correct + title: Ensure User PATH Correct + levels: + - base + status: planned + - id: 1.2.1_ftp_not_installed - title: Ensure FTP is not installed + title: Ensure FTP Not Installed levels: - base status: automated rules: - package_ftp_removed + - package_ftp_removed.severity=high - id: 1.2.2_tftp_server_not_installed - title: Ensure TFTP Server is not installed + title: Ensure TFTP Server Not Installed levels: - base status: automated rules: - 
package_tftp_removed + - package_tftp_removed.severity=high - package_tftp-server_removed + - package_tftp-server_removed.severity=high - id: 1.2.3_telnet_server_not_installed - title: Ensure Telnet Server is not installed + title: Ensure Telnet Server Not Installed levels: - base status: automated rules: - package_telnet_removed + - package_telnet_removed.severity=high - package_telnet-server_removed + - package_telnet-server_removed.severity=high + + - id: 1.2.4_snmp_not_installed + title: Ensure SNMP Not Installed + levels: + - base + status: automated + rules: + - package_net-snmp_removed + - package_net-snmp_removed.severity=high + + - id: 1.2.5_python2_not_installed + title: Ensure Python2 Not Installed + levels: + - base + status: planned + + - id: 1.2.6_gpg_check_configured + title: Ensure GPG Check Configured + levels: + - base + status: automated + rules: + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_globally_activated.severity=high + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_never_disabled.severity=high + + - id: 1.2.7_debug-shell_disabled + title: Ensure Debug-Shell Disabled + levels: + - base + status: automated + rules: + - service_debug-shell_disabled + - service_debug-shell_disabled.severity=high + + - id: 1.2.8_rsync_not_installed + title: Ensure Rsync Not Installed + levels: + - base + status: automated + rules: + - service_rsyncd_disabled + - service_rsyncd_disabled.severity=high + + - id: 1.2.9_avahi_not_installed + title: Ensure Avahi Not Installed + levels: + - base + status: automated + rules: + - service_avahi-daemon_disabled + - service_avahi-daemon_disabled.severity=high + + - id: 1.2.10_ldap_server_not_installed + title: Ensure LDAP Server Not Installed + levels: + - base + status: automated + rules: + - package_openldap-servers_removed + - package_openldap-servers_removed.severity=high + + - id: 1.2.11_cups_not_installed + title: Ensure CUPS Not Installed + levels: + - base + status: automated + rules: + - 
package_cups_removed + - package_cups_removed.severity=high + + - id: 1.2.12_nis_server_not_installed + title: Ensure NIS Server Not Installed + levels: + - base + status: automated + rules: + - package_ypserv_removed + - package_ypserv_removed.severity=high + + - id: 1.2.13_nis_client_not_installed + title: Ensure NIS Client Not Installed + levels: + - base + status: automated + rules: + - package_ypbind_removed + - package_ypbind_removed.severity=high + + - id: 1.2.14_ldap_client_not_installed + title: Ensure LDAP Client Not Installed + levels: + - base + status: automated + rules: + - package_openldap-clients_removed + - package_openldap-clients_removed.severity=high + + - id: 1.2.15_no_network_sniffing_software + title: Ensure Network Sniffing Software Removed + levels: + - base + status: planned + + - id: 1.2.16_no_debug_tools + title: Ensure Debug Tools Removed + levels: + - base + status: planned + + - id: 1.2.17_no_compiler_tools + title: Ensure Compiler Tools Removed + levels: + - base + status: planned + + - id: 1.2.18_xwindow_not_installed + title: Ensure X Window Not Installed + levels: + - base + status: automated + rules: + - xwindows_remove_packages + - xwindows_remove_packages.severity=low + + - id: 1.2.19_http_not_installed + title: Ensure Http Service Not Installed + levels: + - base + status: automated + rules: + - package_httpd_removed + - package_httpd_removed.severity=low + + - id: 1.2.20_samba_not_installed + title: Ensure Samba Service Not Installed + levels: + - base + status: automated + rules: + - package_samba_removed + - package_samba_removed.severity=low + + - id: 1.2.21_dns_disabled + title: Ensure DNS Service Disabled + levels: + - base + status: automated + rules: + - service_named_disabled + - service_named_disabled.severity=low + + - id: 1.2.22_nfs_disabled + title: Ensure NFS Service Disabled + levels: + - base + status: automated + rules: + - service_nfs_disabled + - service_nfs_disabled.severity=low + + - id: 
1.2.23_rpc_disabled + title: Ensure RPC Service Disabled + levels: + - base + status: automated + rules: + - service_rpcbind_disabled + - service_rpcbind_disabled.severity=low + + - id: 1.2.24_DHCP_disabled + title: Ensure DHCP Service Disabled + levels: + - base + status: automated + rules: + - service_dhcpd_disabled + - service_dhcpd_disabled.severity=low + + + - id: 2.1.1_login_accounts_are_necessary + title: Ensure All Login Accounts Are Necessary + levels: + - base + status: planned + + - id: 2.1.2_no_unused_accounts + title: Ensure No Unused Accounts + levels: + - base + status: planned + + - id: 2.1.3_different_accounts_have_different_groupid + title: Ensure Different Accounts Have Different GroupID + levels: + - base + status: planned + + - id: 2.1.4_no_uid_0_except_root + title: Ensure Only Root's UID Is 0 + levels: + - base + status: automated + rules: + - accounts_no_uid_except_zero + - accounts_no_uid_except_zero.severity=high + + - id: 2.1.5_account_related_files_permission + title: Ensure Account Related Files Have Correct Permission + levels: + - base + status: automated + rules: + - file_owner_etc_passwd + - file_owner_etc_passwd.severity=high + - file_groupowner_etc_passwd + - file_groupowner_etc_passwd.severity=high + - file_owner_etc_shadow + - file_owner_etc_shadow.severity=high + - file_groupowner_etc_shadow + - file_groupowner_etc_shadow.severity=high + - file_owner_etc_group + - file_owner_etc_group.severity=high + - file_groupowner_etc_group + - file_groupowner_etc_group.severity=high + - file_owner_etc_gshadow + - file_owner_etc_gshadow.severity=high + - file_groupowner_etc_gshadow + - file_groupowner_etc_gshadow.severity=high + - file_owner_backup_etc_passwd + - file_owner_backup_etc_passwd.severity=high + - file_groupowner_backup_etc_passwd + - file_groupowner_backup_etc_passwd.severity=high + - file_owner_backup_etc_shadow + - file_owner_backup_etc_shadow.severity=high + - file_groupowner_backup_etc_shadow + - 
file_groupowner_backup_etc_shadow.severity=high + - file_owner_backup_etc_group + - file_owner_backup_etc_group.severity=high + - file_groupowner_backup_etc_group + - file_groupowner_backup_etc_group.severity=high + - file_owner_backup_etc_gshadow + - file_owner_backup_etc_gshadow.severity=high + - file_groupowner_backup_etc_gshadow + - file_groupowner_backup_etc_gshadow.severity=high + - file_permissions_etc_passwd + - file_permissions_etc_passwd.severity=high + - file_permissions_etc_shadow + - file_permissions_etc_shadow.severity=high + - file_permissions_etc_group + - file_permissions_etc_group.severity=high + - file_permissions_etc_gshadow + - file_permissions_etc_gshadow.severity=high + - file_permissions_backup_etc_passwd + - file_permissions_backup_etc_passwd.severity=high + - file_permissions_backup_etc_shadow + - file_permissions_backup_etc_shadow.severity=high + - file_permissions_backup_etc_group + - file_permissions_backup_etc_group.severity=high + - file_permissions_backup_etc_gshadow + - file_permissions_backup_etc_gshadow.severity=high + + - id: 2.1.6_account_has_home_dir + title: Ensure All Accounts Have Own Home Folder + levels: + - base + status: automated + rules: + - accounts_user_interactive_home_directory_exists + - accounts_user_interactive_home_directory_exists.severity=high + + - id: 2.1.7_all_groups_existed + title: Ensure All Groups Existed + levels: + - base + status: automated + rules: + - gid_passwd_group_same + - gid_passwd_group_same.severity=high + + - id: 2.1.8_unique_uid + title: Ensure UID Unique + levels: + - base + status: automated + rules: + - account_unique_id + - account_unique_id.severity=high + + - id: 2.1.9_account_unique_name + title: Ensure Account Name Unique + levels: + - base + status: automated + rules: + - account_unique_name + - account_unique_name.severity=high + + - id: 2.1.10_group_unique_id + title: Ensure Group Unique ID + levels: + - base + status: automated + rules: + - group_unique_id + - 
group_unique_id.severity=high + + - id: 2.1.11_group_unique_name + title: Ensure Group Unique Name + levels: + - base + status: automated + rules: + - group_unique_name + - group_unique_name.severity=high + + - id: 2.1.12_account_expire + title: Ensure Account Expire Date Correct + levels: + - base + status: manual + rules: + - account_temp_expire_date + - account_temp_expire_date.severity=low + + - id: 2.1.13_no_forward_in_home + title: Ensure No .forward Files In Home Folder + levels: + - base + status: automated + rules: + - no_forward_files + - no_forward_files.severity=low + + - id: 2.1.14_no_netrc_in_home + title: Ensure No .netrc Files In Home Folder + levels: + - base + status: automated + rules: + - no_netrc_files + - no_netrc_files.severity=low + + - id: 2.2.1_password_complexity_correct + title: Ensure Set Correct Password Complexity + levels: + - base + status: automated + rules: + - accounts_password_pam_minlen + - accounts_password_pam_minlen.severity=high + - var_password_pam_minlen=8 + - accounts_password_pam_minclass + - accounts_password_pam_minclass.severity=high + - var_password_pam_minclass=3 + - accounts_password_pam_retry + - accounts_password_pam_retry.severity=high + - var_password_pam_retry=3 + - accounts_password_pam_dcredit + - accounts_password_pam_dcredit.severity=high + - var_password_pam_dcredit=0 + - accounts_password_pam_ucredit + - accounts_password_pam_ucredit.severity=high + - var_password_pam_ucredit=0 + - accounts_password_pam_lcredit + - accounts_password_pam_lcredit.severity=high + - var_password_pam_lcredit=0 + - accounts_password_pam_ocredit + - accounts_password_pam_ocredit.severity=high + - var_password_pam_ocredit=0 + - accounts_password_pam_enforce_root + - accounts_password_pam_enforce_root.severity=high + + - id: 2.2.2_history_password_not_used + title: Ensure No History Password Used + levels: + - base + status: automated + rules: + - accounts_password_pam_unix_remember + - 
accounts_password_pam_unix_remember.severity=high + - var_password_pam_unix_remember=5 + + - id: 2.2.3_verify_old_password + title: Ensure Old Password Verified + levels: + - base + status: planned + + - id: 2.2.4_no_username_in_password + title: Ensure Password Not Contain User Name + levels: + - base + status: planned + + - id: 2.2.5_strong_hash_algorithm_for_password + title: Ensure Using Strong Hash Algorithm To Encipher Password + levels: + - base + status: automated + rules: + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_systemauth.severity=high + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_passwordauth.severity=high + + - id: 2.2.6_password_dictionary_correct + title: Ensure Password Dictionary Correct + levels: + - base + status: automated + rules: + - accounts_password_pam_dictcheck + - accounts_password_pam_dictcheck.severity=high + + - id: 2.2.7_password_expire_correct + title: Ensure Password Expire Correct + levels: + - base + status: automated + rules: + - accounts_maximum_age_login_defs + - accounts_maximum_age_login_defs.severity=high + - var_accounts_maximum_age_login_defs=90 + - accounts_password_warn_age_login_defs + - accounts_password_warn_age_login_defs.severity=high + - var_accounts_password_warn_age_login_defs=7 + - accounts_minimum_age_login_defs + - accounts_minimum_age_login_defs.severity=high + - var_accounts_minimum_age_login_defs=0 + + - id: 2.2.8_forbid_empty_password + title: Ensure No Empty Password + levels: + - base + status: automated + rules: + - sshd_disable_empty_passwords + - sshd_disable_empty_passwords.severity=high + + - id: 2.2.9_grub_password_set + title: Ensure Grub Password Set + levels: + - base + status: automated + rules: + - grub2_password + - grub2_password.severity=high + - grub2_uefi_password + - grub2_uefi_password.severity=high + + - id: 2.2.10_single_user_password_set + title: Ensure Password Set In Single User Mode + levels: + - base + 
status: automated + rules: + - require_emergency_target_auth + - require_emergency_target_auth.severity=high + + - id: 2.2.11_chpwd_at_first_login + title: Ensure Password Changed At First Login + levels: + - base + status: planned + + - id: 2.3.1_account_lock_after_accessing_fail + title: Ensure Account Locked After Accessing Fail + levels: + - base + status: automated + rules: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny.severity=high + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - accounts_passwords_pam_faillock_unlock_time.severity=high + - var_accounts_passwords_pam_faillock_unlock_time=300 + + - id: 2.3.2_session_timeout_set_correct + title: Ensure TIMOUT Set Correct + levels: + - base + status: automated + rules: + - accounts_tmout + - accounts_tmout.severity=high + - var_accounts_tmout=5_min + + - id: 2.3.3_banners_correct + title: Ensure Warning Banners Correct + levels: + - base + status: automated + rules: + - warning_banners + - warning_banners.severity=high + - file_groupowner_etc_issue + - file_groupowner_etc_issue.severity=high + - file_groupowner_etc_issue_net + - file_groupowner_etc_issue_net.severity=high + - file_groupowner_etc_motd + - file_groupowner_etc_motd.severity=high + - file_owner_etc_issue + - file_owner_etc_issue.severity=high + - file_owner_etc_issue_net + - file_owner_etc_issue_net.severity=high + - file_owner_etc_motd + - file_owner_etc_motd.severity=high + - file_permissions_etc_issue + - file_permissions_etc_issue.severity=high + - file_permissions_etc_issue_net + - file_permissions_etc_issue_net.severity=high + - file_permissions_etc_motd + - file_permissions_etc_motd.severity=high + + - id: 2.3.4_banners_path_correct + title: Ensure Warning Path Correct + levels: + - base + status: automated + rules: + - sshd_enable_warning_banner_net + - sshd_enable_warning_banner_net.severity=high + + - id: 2.4.1_histsize_limited + title: Ensure HISTSIZE 
Limited + levels: + - base + status: planned + + - id: 2.4.2_selinux_enforce + title: Ensure SELinux Enforce + levels: + - base + status: automated + rules: + - selinux_state + - selinux_state.severity=low + + - id: 2.4.3_selinux_config + title: Ensure SELinux Configurate Correct + levels: + - base + status: automated + rules: + - selinux_policytype + - selinux_policytype.severity=low + + - id: 2.4.4_su_usage_limited + title: Ensure SU Usage Limited + levels: + - base + status: automated + rules: + - use_pam_wheel_for_su + - use_pam_wheel_for_su.severity=high + + - id: 2.4.5_use_sudo_to_run + title: Ensure Use Sudo To Run + levels: + - base + status: automated + rules: + - sudo_restrict_privilege_elevation_to_authorized + - sudo_restrict_privilege_elevation_to_authorized.severity=high + + - id: 2.4.6_no_low-privilege_user_writable_files_with_sudo + title: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User + levels: + - base + status: planned + + - id: 2.4.7_cannot_use_pkexec_escalate + title: Ensure Low-privilege User Cannot Escalate By Pkexec + levels: + - base + status: planned + + - id: 2.4.8_always_set_path_config + title: Ensure ALWAYS_SET_PATH Configurated + levels: + - base + status: planned + + - id: 2.4.9_root_can_not_login_local + title: Ensure Root Can Not Login Local + levels: + - base + status: planned + + - id: 2.4.10_not_use_unconfined_service_t + title: Ensure Not Run Files wiht unconfined_service_t Flag + levels: + - base + status: automated + rules: + - selinux_confinement_of_daemons + - selinux_confinement_of_daemons.severity=low + + - id: 2.4.11_all_daemons_run_with_mini_permission + title: Ensure All Daemons Run With Minimum Permission + levels: + - base + status: planned + + - id: 2.5.1_ima_enabled + title: Ensure IMA Enabled + levels: + - base + status: planned + + - id: 2.5.2_aide_enabled + title: Ensure AIDE Enabled + levels: + - base + status: automated + rules: + - package_aide_installed + - 
package_aide_installed.severity=low + - aide_build_database + - aide_build_database.severity=low + + - id: 2.6.1_haveged_enabled + title: Ensure Haveged Enabled + levels: + - base + status: planned + + - id: 2.6.2_global_crypto_setting + title: Global Crypto Setting Correct + levels: + - base + status: automated + rules: + - configure_crypto_policy + - configure_crypto_policy.severity=low + + + - id: 3.1.1_unusual_network_service_not_used + title: Ensure No Unusual Network Service + levels: + - base + status: automated + rules: + - kernel_module_sctp_disabled + - kernel_module_sctp_disabled.severity=low + - kernel_module_tipc_disabled + - kernel_module_tipc_disabled.severity=low + + - id: 3.1.2_wireless_disabled + title: Ensure No WIFI + levels: + - base + status: automated + rules: + - wireless_disable_interfaces + - wireless_disable_interfaces.severity=low + + - id: 3.2.1_firewalld_enabled + title: Ensure Firewalld Enabled + levels: + - base + status: automated + rules: + - service_firewalld_enabled + - service_firewalld_enabled.severity=low + + - id: 3.2.2_firewalld_default_zone_correct + title: Ensure Firewalld Set Default Zone Correctly + levels: + - base + status: planned + + - id: 3.2.3_firewalld_interface_set_to_correct_zone + title: Ensure Firewalld Set Correct Interface Zone + levels: + - base + status: manual + rules: + - set_firewalld_appropriate_zone + - set_firewalld_appropriate_zone.severity=low + + - id: 3.2.4_firewalld_disable_unnecessary_service_and_port + title: Ensure Unnecessary Service And Port Disabled + levels: + - base + status: manual + rules: + - unnecessary_firewalld_services_ports_disabled + - unnecessary_firewalld_services_ports_disabled.severity=low + + - id: 3.2.5_iptables_enabled + title: Ensure Iptables Enabled + levels: + - base + status: automated + rules: + - service_iptables_enabled + - service_iptables_enabled.severity=low + - service_ip6tables_enabled + - service_ip6tables_enabled.severity=low + + - id: 
3.2.6_iptables_default_refuse_rules + title: Ensure Iptables Default Refuse Rules Set + levels: + - base + status: manual + rules: + - set_iptables_default_rule + - set_iptables_default_rule.severity=low + + - id: 3.2.7_iptables_loopback_rules + title: Ensure Iptables Loopback Rules Set + levels: + - base + status: automated + rules: + - set_loopback_traffic + - set_loopback_traffic.severity=low + - set_ipv6_loopback_traffic + - set_ipv6_loopback_traffic.severity=low + + - id: 3.2.8_iptables_input_rules + title: Ensure Iptables Input Rules Set + levels: + - base + status: planned + + - id: 3.2.9_iptables_output_rules + title: Ensure Iptables Output Rules Set + levels: + - base + status: planned + + - id: 3.2.10_iptables_input_output_connection_rules + title: Ensure Iptables Input Output Connection Rules Set + levels: + - base + status: manual + rules: + - set_iptables_outbound_n_established + - set_iptables_outbound_n_established.severity=low + + - id: 3.2.11_nftables_enabled + title: Ensure Nftables Enabled + levels: + - base + status: automated + rules: + - service_nftables_enabled + - service_nftables_enabled.severity=low + + - id: 3.2.12_nftables_default_refuse_rules + title: Ensure Nftables Default Refuse Rules Set + levels: + - base + status: manual + rules: + - nftables_ensure_default_deny_policy + - nftables_ensure_default_deny_policy.severity=low + + - id: 3.2.13_nftables_loopback_rules + title: Ensure Nftables Loopback Rules Set + levels: + - base + status: manual + rules: + - set_nftables_loopback_traffic + - set_nftables_loopback_traffic.severity=low + + - id: 3.2.14_nftables_input_rules + title: Ensure Nftables Input Rules Set + levels: + - base + status: planned + + - id: 3.2.15_nftables_output_rules + title: Ensure Nftables Output Rules Set + levels: + - base + status: planned + + - id: 3.2.16_nftables_input_output_connection_rules + title: Ensure Nftables Input Output Connection Rules Set + levels: + - base + status: manual + rules: + - 
set_nftables_new_connections + - set_nftables_new_connections.severity=low + + - id: 3.3.1_sshd_protocol_is_2 + title: Ensure SSHd Protocol Version Is 2 + levels: + - base + status: automated + rules: + - sshd_allow_only_protocol2 + - sshd_allow_only_protocol2.severity=high + + - id: 3.3.2_sshd_authentication_setting_correct + title: Ensure SSHd Authentication Setting Correct + levels: + - base + status: automated + rules: + - sshd_disable_rhosts + - sshd_disable_rhosts.severity=high + - disable_host_auth + - disable_host_auth.severity=high + + - id: 3.3.3_sshd_keyexchange_correct + title: Ensure SSHd Key Exchange Algorithm Correct + levels: + - base + status: automated + rules: + - sshd_use_strong_kex + - sshd_use_strong_kex.severity=high + - sshd_strong_kex=std_openeuler + + - id: 3.3.4_sshd_pubkey_correct + title: Ensure SSHd Pubkey Algorithm Correct + levels: + - base + status: planned + + - id: 3.3.5_sshd_pam_enabled + title: Ensure SSHd PAM Enabled + levels: + - base + status: automated + rules: + - sshd_enable_pam + - sshd_enable_pam.severity=high + + - id: 3.3.6_sshd_mac_correct + title: Ensure SSHd MACs Algorithm Correct + levels: + - base + status: automated + rules: + - sshd_use_strong_macs + - sshd_use_strong_macs.severity=high + + - id: 3.3.7_sshd_ciphers_correct + title: Ensure SSHd Ciphers Algorithm Correct + levels: + - base + status: automated + rules: + - sshd_use_strong_ciphers + - sshd_use_strong_ciphers.severity=high + + - id: 3.3.8_sshd_ciphers_not_overwritten + title: Ensure SSHd Ciphers Algorithm Not Overwritten + levels: + - base + status: planned + + - id: 3.3.9_sshd_forbid_root_login + title: Ensure SSHd Forbid Root Login From Remote + levels: + - base + status: automated + rules: + - sshd_disable_root_login + - sshd_disable_root_login.severity=low + + - id: 3.3.10_sshd_log_level_correct + title: Ensure SSHd Log Level Correct + levels: + - base + status: automated + rules: + - sshd_set_loglevel_verbose + - 
sshd_set_loglevel_verbose.severity=low + + - id: 3.3.11_sshd_listen_addr + title: Ensure SSHd Listen Address Set Correct + levels: + - base + status: planned + + - id: 3.3.12_sshd_maxstartups_correct + title: Ensure SSHd MaxStartups Correct + levels: + - base + status: automated + rules: + - sshd_set_maxstartups + - sshd_set_maxstartups.severity=low + - var_sshd_set_maxstartups=10:30:60 + + - id: 3.3.13_sshd_maxsessions_correct + title: Ensure SSHd Maxsessions Correct + levels: + - base + status: automated + rules: + - sshd_set_max_sessions + - sshd_set_max_sessions.severity=low + - var_sshd_max_sessions=10 + + - id: 3.3.14_sshd_forbid_x11_forwarding + title: Ensure SSHd X11 Forwarding Forbidden + levels: + - base + status: automated + rules: + - sshd_disable_x11_forwarding + - sshd_disable_x11_forwarding.severity=high + + - id: 3.3.15_sshd_maxauthtries_correct + title: Ensure SSHd MaxAuthTries Correct + levels: + - base + status: automated + rules: + - sshd_set_max_auth_tries + - sshd_set_max_auth_tries.severity=low + - sshd_max_auth_tries_value=3 + + - id: 3.3.16_sshd_forbid_permituserenvironment + title: Ensure SSHd PermitUserEnvironment Forbidden + levels: + - base + status: automated + rules: + - sshd_do_not_permit_user_env + - sshd_do_not_permit_user_env.severity=high + + - id: 3.3.17_sshd_logingracetime_correct + title: Ensure SSHd LoginGraceTime Correct + levels: + - base + status: automated + rules: + - sshd_set_login_grace_time + - sshd_set_login_grace_time.severity=low + - var_sshd_set_login_grace_time=60 + + - id: 3.3.18_sshd_authorized_keys_forbidden + title: Ensure SSHd Authorized Keys Not Set + levels: + - base + status: planned + + - id: 3.3.19_sshd_known_hosts_forbidden + title: Ensure SSHd Known Hosts Not Set + levels: + - base + status: automated + rules: + - sshd_disable_user_known_hosts + - sshd_disable_user_known_hosts.severity=high + + - id: 3.3.20_sshd_no_obsolete_config + title: Ensure SSHd Has No Obsolete Configurations + levels: + - base 
+ status: planned + + - id: 3.3.21_ssh_tcp_forward_disabled + title: Ensure SSHd TCP Forward Disabled + levels: + - base + status: automated + rules: + - sshd_disable_tcp_forwarding + - sshd_disable_tcp_forwarding.severity=high + + - id: 3.4.1_crontab_not_run_low_privilege_user_writable_bash + title: Ensure Cron Not Run Low Privilege User Writable Bash + levels: + - base + status: planned + + - id: 3.4.2_cron_enabled + title: Ensure Cron Deamon Running + levels: + - base + status: automated + rules: + - service_crond_enabled + - service_crond_enabled.severity=high + + - id: 3.4.3_at_cron_set_correct + title: Ensure AT And Cron Set Correct + levels: + - base + status: automated + rules: + - file_groupowner_cron_d + - file_groupowner_cron_d.severity=high + - file_groupowner_cron_daily + - file_groupowner_cron_daily.severity=high + - file_groupowner_cron_hourly + - file_groupowner_cron_hourly.severity=high + - file_groupowner_cron_monthly + - file_groupowner_cron_monthly.severity=high + - file_groupowner_cron_weekly + - file_groupowner_cron_weekly.severity=high + - file_groupowner_crontab + - file_groupowner_crontab.severity=high + - file_owner_cron_d + - file_owner_cron_d.severity=high + - file_owner_cron_daily + - file_owner_cron_daily.severity=high + - file_owner_cron_hourly + - file_owner_cron_hourly.severity=high + - file_owner_cron_monthly + - file_owner_cron_monthly.severity=high + - file_owner_cron_weekly + - file_owner_cron_weekly.severity=high + - file_owner_crontab + - file_owner_crontab.severity=high + - file_permissions_cron_d + - file_permissions_cron_d.severity=high + - file_permissions_cron_daily + - file_permissions_cron_daily.severity=high + - file_permissions_cron_hourly + - file_permissions_cron_hourly.severity=high + - file_permissions_cron_monthly + - file_permissions_cron_monthly.severity=high + - file_permissions_cron_weekly + - file_permissions_cron_weekly.severity=high + - file_permissions_crontab + - file_permissions_crontab.severity=high + 
- file_at_deny_not_exist + - file_at_deny_not_exist.severity=high + - file_cron_deny_not_exist + - file_cron_deny_not_exist.severity=high + - file_groupowner_at_allow + - file_groupowner_at_allow.severity=high + - file_groupowner_cron_allow + - file_groupowner_cron_allow.severity=high + - file_owner_at_allow + - file_owner_at_allow.severity=high + - file_owner_cron_allow + - file_owner_cron_allow.severity=high + - file_permissions_at_allow + - file_permissions_at_allow.severity=high + - file_permissions_cron_allow + - file_permissions_cron_allow.severity=high + + - id: 3.5.1_kaslr_enabled + title: Ensure KASLR Enabled + levels: + - base + status: automated + rules: + - sysctl_kernel_randomize_va_space + - sysctl_kernel_randomize_va_space.severity=high + + - id: 3.5.2_dmesg_access_permission_correct + title: Ensure Dmesg Access Permission Correct + levels: + - base + status: automated + rules: + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_dmesg_restrict.severity=high + + - id: 3.5.3_kptr_restrict_correct + title: Ensure Kptr_restrict Correct + levels: + - base + status: automated + rules: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kptr_restrict.severity=high + - sysctl_kernel_kptr_restrict_value=1 + + - id: 3.5.4_smap_enabled + title: Ensure Kernel SMAP Enabled + levels: + - base + status: automated + rules: + - grub2_nosmap_argument_absent + - grub2_nosmap_argument_absent.severity=high + + - id: 3.5.5_smep_enabled + title: Ensure Kernel SMEP Enabled + levels: + - base + status: automated + rules: + - grub2_nosmep_argument_absent + - grub2_nosmep_argument_absent.severity=high + + - id: 3.5.6_not_response_icmp_broadcast + title: Ensure ICMP Broadcast Package Not Responsed + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high + + - id: 3.5.7_not_receive_icmp_redirect + title: Ensure ICMP Redirect Package Not Received + levels: + - base + status: 
automated + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects.severity=high + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects.severity=high + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects.severity=high + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects.severity=high + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + + - id: 3.5.8_forbid_forward_icmp_redirect_package + title: Ensure No ICMP Redirect Package Forwarded + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_all_send_redirects.severity=high + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects.severity=high + + - id: 3.5.9_ignore_all_icmp_request + title: Ensure Ignore All ICMP Request + levels: + - base + status: planned + + - id: 3.5.10_ignore_bogus_error_icmp_package + title: Ensure Ignore Bogus Error ICMP Package + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + + - id: 3.5.11_rp_filter_enabled + title: Ensure Reverse Proxy Filter Enabled + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter.severity=high + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter.severity=high + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + + - id: 3.5.12_forbid_ip_forwarding + title: Ensure 
IP Forwarding Disabled + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv4_ip_forward.severity=high + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding.severity=high + - sysctl_net_ipv6_conf_all_forwarding_value=disabled + + - id: 3.5.13_source_route_disabled + title: Ensure Source Route Disabled + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route.severity=high + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route.severity=high + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route.severity=high + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route.severity=high + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + + - id: 3.5.14_tcp-syn_cookie_enabled + title: Ensure TCP-SYN Cookie Enabled + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies.severity=high + + - id: 3.5.15_log_martians + title: Ensure Source Route And Redirectly Logged + levels: + - base + status: automated + rules: + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians.severity=high + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians.severity=high + + - id: 3.5.16_tcp_timestamps_disabled + title: Ensure tcp_timestamps Disabled + levels: + - base + status: planned + + - id: 3.5.17_tcp_time_wait_config + title: Ensure TCP Time Wait Correct + levels: + - base + status: planned + + - id: 3.5.18_syn_recv_set_correct + title: Ensure SYN Recv Set Correct 
+ levels: + - base + status: planned + + - id: 3.5.19_arp_proxy_disabled + title: Ensure No ARP Proxy + levels: + - base + status: planned + + - id: 3.5.20_core_dump_set_correct + title: Ensure Core Dump Set Correct + levels: + - base + status: planned + + - id: 3.5.21_sysrq_disabled + title: Ensure SysRq Key Disabled + levels: + - base + status: automated + rules: + - sysctl_kernel_sysrq + - sysctl_kernel_sysrq.severity=high + + - id: 3.5.22_ptrace_scope_correct + title: Ensure ptrace_scope Set Correct + levels: + - base + status: automated + rules: + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_yama_ptrace_scope.severity=low + + - id: 3.5.23_seccomp_enabled + title: Ensure Seccomp Enabled + levels: + - base + status: automated + rules: + - kernel_config_seccomp + - kernel_config_seccomp.severity=low + + - id: 3.6.1_ntpd_configuration_correct + title: Ensure Ntpd Configuration Correct + levels: + - base + status: automated + rules: + - service_ntpd_enabled + - service_ntpd_enabled.severity=low + - ntpd_configure_restrictions + - ntpd_configure_restrictions.severity=low + - ntpd_specify_remote_server + - ntpd_specify_remote_server.severity=low + + - id: 3.6.2_chrony_configuration_correct + title: Ensure Chrony Configuration Correct + levels: + - base + status: automated + rules: + - service_chronyd_enabled + - service_chronyd_enabled.severity=low + - chronyd_specify_remote_server + - chronyd_specify_remote_server.severity=low + + + - id: 4.1.1_auditd_enabled + title: Ensure Auditd Enabled + levels: + - base + status: automated + rules: + - service_auditd_enabled + - service_auditd_enabled.severity=high + + - id: 4.1.2_auditd_rotate_enabled + title: Ensure Auditd Rotate Enabled + levels: + - base + status: automated + rules: + - auditd_data_retention_max_log_file_action + - auditd_data_retention_max_log_file_action.severity=high + - var_auditd_max_log_file_action=rotate + - auditd_data_retention_num_logs + - auditd_data_retention_num_logs.severity=high + - 
var_auditd_num_logs=5 + + - id: 4.1.3_lastlog_config + title: Ensure Lastlog Recorded + levels: + - base + status: automated + rules: + - audit_rules_login_events_lastlog + - audit_rules_login_events_lastlog.severity=low + + - id: 4.1.4_audit_account_change + title: Ensure Account Info Changing Audited + levels: + - base + status: automated + rules: + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_group.severity=low + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_gshadow.severity=low + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_opasswd.severity=low + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_passwd.severity=low + - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_shadow.severity=low + + - id: 4.1.5_audit_escalation + title: Ensure Escalation Audited + levels: + - base + status: planned + + - id: 4.1.6_audit_module + title: Ensure Module Changes Audited + levels: + - base + status: automated + rules: + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_modprobe.severity=low + - audit_rules_privileged_commands_insmod + - audit_rules_privileged_commands_insmod.severity=low + - audit_rules_privileged_commands_rmmod + - audit_rules_privileged_commands_rmmod.severity=low + - audit_rules_kernel_module_loading + - audit_rules_kernel_module_loading.severity=low + + - id: 4.1.7_audit_sudo + title: Ensure Sudo Operation Audited + levels: + - base + status: automated + rules: + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudo.severity=low + + - id: 4.1.8_enable_audit_during_boot + title: Ensure Auditd Enabled During Boot + levels: + - base + status: automated + rules: + - grub2_audit_argument + - grub2_audit_argument.severity=low + + - id: 4.1.9_audit_backlog_limit_correct + title: Ensure Audit Backlog Limit Correct + levels: + - base 
+ status: automated + rules: + - grub2_audit_backlog_limit_argument + - grub2_audit_backlog_limit_argument.severity=low + + - id: 4.1.10_audit_not_use_auditctl + title: Ensure Auditctl Not Used + levels: + - base + status: automated + rules: + - audit_rules_immutable + - audit_rules_immutable.severity=low + + - id: 4.1.11_audit_logsize_correct + title: Ensure Audit Log Size Set Correct + levels: + - base + status: automated + rules: + - auditd_data_retention_max_log_file + - auditd_data_retention_max_log_file.severity=high + - auditd_data_retention_max_log_file_action + - auditd_data_retention_max_log_file_action.severity=high + + - id: 4.1.12_audit_disk_space_config + title: Ensure Audit Disk Space Set Correct + levels: + - base + status: automated + rules: + - auditd_data_retention_space_left + - auditd_data_retention_space_left.severity=low + - auditd_data_retention_space_left_action + - auditd_data_retention_space_left_action.severity=low + - var_auditd_space_left_action=syslog + - auditd_data_retention_admin_space_left_percentage + - auditd_data_retention_admin_space_left_percentage.severity=low + - var_auditd_admin_space_left_percentage=50pc + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_admin_space_left_action.severity=low + - var_auditd_admin_space_left_action=suspend + - auditd_audispd_disk_full_action + - auditd_audispd_disk_full_action.severity=low + - auditd_data_disk_full_action + - auditd_data_disk_full_action.severity=low + - var_auditd_disk_full_action=suspend + - auditd_data_disk_error_action + - auditd_data_disk_error_action.severity=low + - var_auditd_disk_error_action=suspend + + - id: 4.1.13_audit_sudoers + title: Ensure Sudoers Audited + levels: + - base + status: automated + rules: + - audit_rules_sudoers + - audit_rules_sudoers.severity=low + + - id: 4.1.14_audit_session + title: Ensure Session Audited + levels: + - base + status: automated + rules: + - audit_rules_session_events + - 
audit_rules_session_events.severity=low + + - id: 4.1.15_audit_time_changing + title: Ensure Time Changing Audited + levels: + - base + status: automated + rules: + - audit_rules_time_adjtimex + - audit_rules_time_adjtimex.severity=low + - audit_rules_time_settimeofday + - audit_rules_time_settimeofday.severity=low + - audit_rules_time_clock_settime + - audit_rules_time_clock_settime.severity=low + + - id: 4.1.16_audit_selinux + title: Ensure SELinux Audited + levels: + - base + status: automated + rules: + - audit_rules_mac_modification + - audit_rules_mac_modification.severity=low + - audit_rules_mac_modification_usr_share + - audit_rules_mac_modification_usr_share.severity=low + + - id: 4.1.17_audit_network + title: Ensure Network Audited + levels: + - base + status: automated + rules: + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification.severity=low + + - id: 4.1.18_audit_successful_file_access + title: Ensure Successful File Access Audited + levels: + - base + status: manual + rules: + - audit_rules_successful_file_modification_chmod + - audit_rules_successful_file_modification_chmod.severity=low + - audit_rules_successful_file_modification_fchmod + - audit_rules_successful_file_modification_fchmod.severity=low + - audit_rules_successful_file_modification_fchmodat + - audit_rules_successful_file_modification_fchmodat.severity=low + - audit_rules_successful_file_modification_chown + - audit_rules_successful_file_modification_chown.severity=low + - audit_rules_successful_file_modification_fchown + - audit_rules_successful_file_modification_fchown.severity=low + - audit_rules_successful_file_modification_fchownat + - audit_rules_successful_file_modification_fchownat.severity=low + - audit_rules_successful_file_modification_setxattr + - audit_rules_successful_file_modification_setxattr.severity=low + - audit_rules_successful_file_modification_lsetxattr + - audit_rules_successful_file_modification_lsetxattr.severity=low + - 
audit_rules_successful_file_modification_fsetxattr + - audit_rules_successful_file_modification_fsetxattr.severity=low + - audit_rules_successful_file_modification_removexattr + - audit_rules_successful_file_modification_removexattr.severity=low + - audit_rules_successful_file_modification_lremovexattr + - audit_rules_successful_file_modification_lremovexattr.severity=low + - audit_rules_successful_file_modification_fremovexattr + - audit_rules_successful_file_modification_fremovexattr.severity=low + + - id: 4.1.19_audit_unsuccessful_file_access + title: Ensure Unsuccessful File Access Audited + levels: + - base + status: automated + rules: + - audit_rules_unsuccessful_file_modification + - audit_rules_unsuccessful_file_modification.severity=low + + - id: 4.1.20_audit_file_delete + title: Ensure File Delete Audited + levels: + - base + status: manual + rules: + - audit_rules_successful_file_modification_rename + - audit_rules_successful_file_modification_rename.severity=low + - audit_rules_successful_file_modification_renameat + - audit_rules_successful_file_modification_renameat.severity=low + - audit_rules_successful_file_modification_unlink + - audit_rules_successful_file_modification_unlink.severity=low + - audit_rules_successful_file_modification_unlinkat + - audit_rules_successful_file_modification_unlinkat.severity=low + + - id: 4.1.21_audit_mount + title: Ensure Mount Audited + levels: + - base + status: planned + + - id: 4.2.1_rsyslog_enabled + title: Ensure Rsyslog Enabled + levels: + - base + status: automated + rules: + - service_rsyslog_enabled + - service_rsyslog_enabled.severity=high + + - id: 4.2.2_rsyslog_auth + title: Ensure Authentication Logged + levels: + - base + status: automated + rules: + - rsyslog_remote_access_monitoring + - rsyslog_remote_access_monitoring.severity=high + + - id: 4.2.3_rsyslog_cron + title: Ensure Cron Logged + levels: + - base + status: automated + rules: + - rsyslog_cron_logging + - rsyslog_cron_logging.severity=high + 
+ - id: 4.2.4_rsyslog_file_permission
+ title: Ensure Rsyslog's Files Permission Correct
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_filecreatemode
+ - rsyslog_filecreatemode.severity=low
+
+ - id: 4.2.5_rsyslog_for_services
+ title: Ensure Important Services Logged
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_logging_configured
+ - rsyslog_logging_configured.severity=low
+
+ - id: 4.2.6_rsyslog_journald_transfer
+ title: Ensure Journald Transfer Set Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.7_rsyslog_rotate
+ title: Ensure Rotate Setting In Rsyslog
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.8_rsyslog_remote_server_config
+ title: Ensure Remote Log Server Correct
+ levels:
+ - base
+ status: planned
+
+ - id: 4.2.9_rsyslog_only_specified_server_receive_logs
+ title: Ensure Only Specified Server Can Receive Logs
+ levels:
+ - base
+ status: automated
+ rules:
+ - rsyslog_accept_remote_messages_tcp
+ - rsyslog_accept_remote_messages_tcp.severity=low
+ - rsyslog_accept_remote_messages_udp
+ - rsyslog_accept_remote_messages_udp.severity=low
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index 2b0e53a..e799bae 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Avahi Server Software'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 4ce4b1e..e63cf34 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 032b15e..226d9c8 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index 2d4f1f9..9065a84 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index d47730c..35a16a3 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index c63c3de..7eadb97 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 3f43b81..6e39d76 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns Crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 49b2e3a..1cc18db 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index 74210b6..0a448d8 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 9e4ab04..f9130b7 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 78dadcc..05ace52 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index 69001b6..51f3d9b 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 2636571..e5e1357 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index 8d5e6dd..4dcd062 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 175ba80..f2a3301 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 7578b5d..48b5bcc 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index 4694a91..3da1b9e 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 5409311..b382c42 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 009a233..777a0f1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on crontab'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
index 81e089f..18a9520 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
 title: 'Ensure that /etc/at.deny does not exist'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
index a164bf3..9eed643 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
 title: 'Ensure that /etc/cron.deny does not exist'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
index c060951..c0821cd 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index a62e314..1fb33f6 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
index dafb8d4..20b64ab 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
index 4e59001..0eae2e6 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
index aaa429e..30b6553 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index c2710c4..1961b9a 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
index ec390e3..3a3c6d1 100644
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Enable cron Service'
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index 356f236..b8324bf 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable DHCP Service'
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index ce858b1..1387845 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable named Service'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index 044177b..07543b0 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 2ec31a2..6644f7d 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -8,7 +8,7 @@ documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Ensure LDAP client is not installed'
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
index bf75fff..828d36d 100644
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
@@ -11,7 +11,7 @@ documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Uninstall openldap-servers Package'
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 9071b7e..fd41721 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
index 91f73ab..8cdd594 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable Network File System (nfs)'
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
index c74221c..6a2919f 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4
+prodtype: alinux2,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhv4
 title: 'Specify a Remote NTP Server'
diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
index de51899..e4a62cb 100644
--- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
+++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,ubuntu2004,ubuntu2204
 title: 'Configure server restrictions for ntpd'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index c5f90c4..5f79ef7 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index b057fc5..359340e 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall ypserv Package'
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index de1f832..1653ad3 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Ensure rsyncd service is disabled'
@@ -47,3 +47,5 @@ template:
 packagename@ol7: rsync
 packagename@sle12: rsync
 packagename@sle15: rsync
+ packagename@openeuler2203: rsync
+ packagename@openeuler2403: rsync
diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml
index df44086..e6e13cf 100644
--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml
+++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall CUPS Package'
diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
index 1b633c6..2b8ef03 100644
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall Samba Package'
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index 3763480..aaf1c94 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: debian10,debian11,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall net-snmp Package'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index 91e0556..3e32b5e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204
 title: 'Use Only Strong Ciphers'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
index 0a0b3a9..a928355 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Use Only Strong Key Exchange algorithms'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index b6fea18..c9e4f13 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,rhel7,sle12,sle15,ubuntu2204
+prodtype: ol7,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2204
 title: 'Use Only Strong MACs'
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index 9becb4b..c0519e2 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -17,3 +17,4 @@ options:
 cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
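Review bot: The new `std_openeuler` entry in sshd_strong_kex.var is much narrower than the neighbouring `cis_sle12`, `cis_sle15` and `cis_ubuntu2004` lists (no `ecdh-sha2-nistp*`, no fixed `diffie-hellman-group14/16/18` entries), and nothing records which baseline requirement the list is taken from. A comment above the key would let a later maintainer verify it, e.g. `# std_openeuler: KexAlgorithms from the openEuler security baseline (item <BASELINE_ITEM_ID>)`. The list keeps `diffie-hellman-group-exchange-sha256`, whose strength depends on the moduli sshd is configured to offer, so the profile presumably also needs a check on the moduli file; no such rule is visible in this part of the commit. The `options:` mapping starts outside the hunk.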
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 170f89f..5af9d26 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Remove the X Windows Package Group'
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 607ed94..eb84592 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable graphical user interface'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
index 5e6d02f..ce9a463 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Ownership of System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
index 76b10f4..be54b97 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Ownership of System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 2e796ee..90ef7e1 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Ownership of Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
index 70b4f39..0f8b6e1 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify ownership of System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
index cff8e39..8efa940 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify ownership of System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
index 16011b1..954946b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify ownership of Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
index 9968c5c..a7b4364 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify permissions on System Login Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
index cb8d9db..02b69cb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue_net/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify permissions on System Login Banner for Remote Connections'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
index 339274b..0038c14 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify permissions on Message of the Day Banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
new file mode 100644
index 0000000..548b47b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/warning_banners/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: openeuler2203,openeuler2403
+
+title: 'Check Warning Banners Correctly'
+
+description: |-
+

It can not be scanned automatically, please check it manually.

+ Warning banners contain warning information added on the system login page and are marked by all users who log in to the system.
+
+ Proper security warning information may increase the risk of system attacks or violate local laws and regulations.
+
+ openEuler security warning banners must be formulated by security department personnel and comply with local laws and regulations.
+
+ In addition, don't expose the system version, application server type, functions through warning banners, to prevent attackers from obtaining system information and launching attacks.
+
+ Run the cat command to check the warning banners in the /etc/motd, /etc/issue, and /etc/issue.net files. Check whether the information is reasonable.
+
+rationale: |-
+ None
+
+severity: high
+
+platform: machine
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index f3e6931..2118833 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Limit Password Reuse'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
new file mode 100644
index 0000000..0abb80d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
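Review bot: In the new warning_banners/rule.yml the `rationale` block is the literal text `None` on a rule marked `severity: high`, so the generated guide gives an auditor no reason for a high-severity check that the description itself says cannot be scanned automatically. The reasoning already sits in the description and belongs in the rationale, for example `Banners that expose the system version or application server type help an attacker profile the host, and banner text must comply with local laws and regulations.` The description sentence starting `Proper security warning information may increase the risk of system attacks` reads inverted and presumably means `Improper`. Likewise `are marked by all users who log in` presumably means the banner is seen by them. Some description lines appear to have lost markup in this rendering, so the wording should be checked against the file itself.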
@@ -0,0 +1,291 @@ + + + {{{ oval_metadata("Lockout account after failed login attempts") }}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*auth\N+pam_unix\.so + + + + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail + + + + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so + + + + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) + + + + ^[\s]*deny[\s]*=[\s]*([0-9]+) + + + + + ^/etc/pam.d/system-auth$ + + + 1 + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + + + + + + + + 0 + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + + + + + + + ^/etc/security/faillock.conf$ + + 1 + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index 3f7bbd8..d1d77f0 100644 
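Review bot: The pattern that extracts the configured value in the new accounts_passwords_pam_faillock_deny openeuler.xml, `^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)`, leaves the dot in `pam_faillock.so` unescaped although every other pattern in the file writes `pam_faillock\.so`. The file-path patterns such as `^/etc/pam.d/system-auth$` and `^/etc/security/faillock.conf$` have the same unescaped dots. For a compliance check the match should be exact: `pam_faillock\.so`, `^/etc/pam\.d/system-auth$`, `^/etc/security/faillock\.conf$`. Because `[^\n]*deny=` accepts any text after the module name, a `deny=` inside a trailing comment on the same line would presumably also be captured; that is worth a test case. The `unlock_time` patterns in the accounts_passwords_pam_faillock_unlock_time openeuler.xml added later in this commit are written the same way; the XML element structure is not visible in this rendering, so this rests on the pattern text alone.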
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204
 title: 'Lock Accounts After Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
new file mode 100644
index 0000000..94c1eca
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
@@ -0,0 +1,285 @@ + + + {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*auth\N+pam_unix\.so + + + + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail + + + + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so + + + + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) + + + + ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) + + + + + ^/etc/pam.d/system-auth$ + + + 1 + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + + + + + + + + + ^/etc/pam.d/system-auth$ + + 1 + + + + + + + + + + + + + + ^/etc/pam.d/password-auth$ + + 1 + + + + + + + + + + + + + + ^/etc/security/faillock.conf$ + + 1 + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index 7157b51..6022dcd 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2204
 title: 'Set Lockout Time for Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
index 46c73e4..206b03e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
@@ -17,5 +17,6 @@ options:
 604800: 604800
 86400: 86400
 900: 900
+ 300: 300
 default: 0
 never: 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index e67cd88..5843fd2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
index d41ca6c..6ec6fba 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004
 title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
index 198475c..15f4617 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol9,rhel8,rhel9
+prodtype: fedora,ol9,openeuler2203,openeuler2403,rhel8,rhel9
 title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 5799a7b..4de04a1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 45a8dfa..d0c33ab 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index f05b6e0..6a9b551 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index 632aa24..89fd371 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index df2272b..c3052a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index 6c631ea..5b4041c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
index bf87c9c..786e396 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: "Set PAM''s Password Hashing Algorithm - password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 5375365..803ad40 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: "Set PAM''s Password Hashing Algorithm"
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
index fadfa30..7cc8b57 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml @@ -36,7 +36,7 @@ /usr/lib/systemd/system/emergency.service - {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{%- if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}} ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index e3b3c18..53bea43 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Require Authentication for Emergency Systemd Target' @@ -86,7 +86,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication for system emergency mode. Add or edit the following line in "/usr/lib/systemd/system/emergency.service": - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "openeuler2203", "openeuler2403", "rhel8", "rhel9", "sle12", "sle15"] -%}} ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency {{%- else -%}} ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" 
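Review bot: The list of products that use `systemd-sulogin-shell` is now maintained by hand in two places, the `{{%- if product in [...] -%}}` condition in this OVAL check and the matching `{{% if product in [...] -%}}` in the `fixtext` hunk of rule.yml on the same line below, and the two have to be edited together or the check and the documented fix drift apart. Any remediation template for this rule that branches on the same list is not visible in this excerpt; if one exists it needs `openeuler2203` and `openeuler2403` as well, otherwise a remediated system could still fail the check. A short XML comment above the condition, such as `<!-- product list must match the fixtext condition in rule.yml -->`, would make the coupling explicit.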
diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
index f232eb7..7f9c4dc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
 title: 'Disable debug-shell SystemD Service'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index d4b7117..0493d9e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
 title: 'Assign Expiration Date to Temporary Accounts'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index 3cda626..aca9ef5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure All Accounts on the System Have Unique User IDs'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
index aa5a69c..0cb8d6e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure All Groups on the System Have Unique Group ID'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
index 55b2c5e..e1da489 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,openeuler2203,openeuler2403,rhel7,rhel8,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure All Groups on the System Have Unique Group Names'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index 3591fba..41489ff 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -84,4 +84,3 @@ srg_requirement: |- {{{ full_name }}} user account passwords for new users or password changes must have a 60 day maximum password lifetime restriction in /etc/login.defs. platform: package[shadow-utils] - diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index 3cbb4d9..7eaac40 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -84,4 +84,3 @@ srg_requirement: |- {{{ full_name }}} passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. platform: package[shadow-utils] - diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml index c101f11..fc64d11 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml 
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
+prodtype: alinux2,alinux3,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
 title: 'Verify No .forward Files Exist'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index d0ed1f4..3f33979 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Enforce usage of pam_wheel for su authentication'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index a660109..1b6a66f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Set Interactive Session Timeout'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index e58fb7d..a4f4432 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive Users Home Directories Must Exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 1795fac..1148bf9 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure the Default Bash Umask is Set Correctly'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
index d3b0186..1dbd420 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle15
 title: 'Record Successful Permission Changes to Files - chmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
index 241d1d6..7996a8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Ownership Changes to Files - chown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
index ce7070e..c62a171 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - fchmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
index 4b6cee0..c839def 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - fchmodat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
index 6bc0b95..f4eb579 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Ownership Changes to Files - fchown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
index e882a57..545979e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Ownership Changes to Files - fchownat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
index ee4ff3a..090ecb1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - fremovexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
index d40bfde..be1e1fa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - fsetxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
index 90873b1..d313b57 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Ownership Changes to Files - lchown'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
index acbfbc0..b424556 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - lremovexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
index b669f75..c72f4ad 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - lsetxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
index 7d7e3eb..14ed330 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - removexattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
index 82d103e..5f29767 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Delete Attempts to Files - rename'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
index 1736c97..44bf9e0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Delete Attempts to Files - renameat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
index 75809f4..b167733 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Permission Changes to Files - setxattr'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
index 91e8f67..cb411e5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Delete Attempts to Files - unlink'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
index a11b195..86bab31 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlinkat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4
 title: 'Record Successful Delete Attempts to Files - unlinkat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
index fe9f1d9..cc33a91 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 1b476f4..b873f49 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - creat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 398110d..50b9592 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8893d52..083feb4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - open'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index cb615dc..cb62dd9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 1126705..aad0d0f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - openat'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 2884c9d..8f68d62 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Unsuccessful Access Attempts to Files - truncate'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
index 90a7173..368747c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index f8ab574..47b8db1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index d63a995..7c0230d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index a1d7d2c..dc25542 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 34e160a..006e96e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 1086361..0b0e0bc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - insmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 19e74ab..b4d6fb5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index bb5b567..8849eb0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
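Review bot: The insmod and modprobe hunks above, and the rmmod hunk that follows, put openeuler2203 and openeuler2403 on lists that carry rhel7 but not rhel8 or rhel9, unlike every other list visible in this part of the patch; that suggests the newer RHEL-family products audit the module tools some other way, and openEuler is being placed on what looks like the older path. The rule bodies are outside these hunks, so this is something to verify rather than a confirmed defect: check on an openEuler host that the paths these rules watch exist there and that an audit record is produced when each tool runs. Until that is confirmed I would keep these three lines as `prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204` and rely on the init_module, finit_module and delete_module syscall rules that this patch also enables for openEuler.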
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,openeuler2203,openeuler2403,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 3d76a1a..e8da204 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -4,7 +4,7 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
index 628dc4f..6a1e04e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel8,rhel9
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9
 title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index 46128d8..b2d42c5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Events that Modify User/Group Information - /etc/group'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 5cfe91d..f502455 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Events that Modify User/Group Information - /etc/gshadow'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index d58af4c..c35d421 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index d67693e..cf91038 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Events that Modify User/Group Information - /etc/passwd'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 68a975a..b5e3762 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Events that Modify User/Group Information - /etc/shadow'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index 8ccde19..10032fa 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
index 01c5df5..91c9cb9 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_percentage/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204
 title: 'Configure auditd admin_space_left on Low Disk Space'
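Review bot: In the auditd_audispd_disk_full_action hunk, openeuler2203 and openeuler2403 are added to a rule whose check depends on where the audispd remote-logging configuration lives, and that location changed when audispd was merged into auditd (under /etc/audisp with audit 2.x, under /etc/audit with audit 3.x). The rule body and the openEuler product definitions are outside this hunk, so this is a point to confirm: if the path the product resolves to does not match the audit package openEuler ships, the check and remediation would act on a file the daemon never reads and the result would be misleading. A comment above the list, for example `# openeuler: audisp-remote.conf location checked against the shipped audit package`, would record that this was verified.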
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index d9b97fb..a8fe5c7 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: ol7,ol8,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Configure auditd space_left on Low Disk Space'
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index e81a90b..1b9abe0 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 65132d8..6e3aeb6 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Extend Audit Backlog Limit for the Audit Daemon' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index 9acb58b..21f343b 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set Boot Loader Password in grub2' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 18d5b92..d749483 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Set the UEFI Boot Loader Password' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml index 8a7b722..6755b6a 100644 
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4 +prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4 title: 'Ensure cron Is Logging To Rsyslog' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml index 76f0e4b..47aeef5 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhel9,sle12,sle15 +prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15 title: 'Ensure logging is configured' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml index bea5ed4..1588359 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004,ubuntu2204 +prodtype: fedora,ol8,ol9,openeuler2203,openeuler2403,rhel8,rhel9,ubuntu2004,ubuntu2204 title: 'Ensure remote access methods are monitored in Rsyslog' 
diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml index f37af58..b79c97c 100644 --- a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 +prodtype: openeuler2203,openeuler2403,rhel7,rhel8,rhel9,ubuntu2004,ubuntu2204 title: 'Ensure rsyslog Default File Permissions Configured' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml index cd22594..18b3db5 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Verify firewalld Enabled' diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml index ae73778..6a5355a 100644 --- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,sle15 +prodtype: rhel7,rhel8,openeuler2203,openeuler2403,sle15 title: 'Ensure network interfaces are assigned to appropriate zone' 
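Review bot: In set_firewalld_appropriate_zone/rule.yml the new products are inserted after `rhel8`, which breaks the alphabetical order that every other `prodtype` list touched by this patch keeps. The line should read `prodtype: openeuler2203,openeuler2403,rhel7,rhel8,sle15`. An unsorted list is easy to miss in later edits and may trip the project's ordering checks if it has them.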
diff --git a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml index 05f7144..1f93b40 100644 --- a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle15 +prodtype: openeuler2203,openeuler2403,sle15 title: 'Ensure Unnecessary Services and Ports Are Not Accepted' diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml index 73e27ed..9b9db6f 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml @@ -16,7 +16,11 @@ rationale: |- severity: medium +{{% if product in ['openeuler2203','openeuler2403'] %}} +platform: machine +{{% else %}} platform: not package[nftables] and not package[ufw] +{{% endif %}} identifiers: cce@sle12: CCE-92215-3 diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml index 6ab31a4..ef09802 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml 
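Review bot: In set_ipv6_loopback_traffic/rule.yml the new openEuler branch sets `platform: machine`, which drops the `not package[nftables] and not package[ufw]` applicability guard that keeps these iptables rules from being evaluated on hosts using another firewall backend; the same change is made in set_loopback_traffic and set_iptables_default_rule in the following hunks. This patch also adds openEuler to the nftables and firewalld rules, so a host running nftables would presumably be scanned, and possibly remediated, against an iptables ruleset as well, giving either false failures or two competing packet-filter policies. If the intent is only to drop the ufw test, `platform: not package[nftables]` in the openEuler branch keeps the guard; if `machine` is deliberate, a comment such as `# openEuler: <reason the nftables/ufw guard does not apply>` above the conditional would record why. The rule body starts and ends outside the hunk, so the check and remediation content could not be reviewed here.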
@@ -16,7 +16,11 @@ rationale: |- severity: medium +{{% if product in ['openeuler2203','openeuler2403'] %}} +platform: machine +{{% else %}} platform: not package[nftables] and not package[ufw] +{{% endif %}} identifiers: cce@sle12: CCE-92214-6 diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml index c7ea1c0..100a1ec 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/rule.yml @@ -18,7 +18,11 @@ rationale: |- severity: medium +{{% if product in ['openeuler2203','openeuler2403'] %}} +platform: machine +{{% else %}} platform: not package[nftables] and not package[ufw] +{{% endif %}} identifiers: cce@rhel7: CCE-86719-2 diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml index 88b1b36..34663ba 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15 +prodtype: openeuler2203,openeuler2403,sle12,sle15 title: 'Ensure Outbound and Established Connections are Configured' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml index 9a69794..f05d2c9 100644 
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml index c1f0dc4..10100f3 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' @@ -69,3 +69,6 @@ template: vars: sysctlvar: net.ipv6.conf.all.accept_source_route datatype: int +{{% if "openeuler" in product %}} + missing_parameter_pass: 'true' +{{% endif %}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml index c02cdc4..d155c12 100644 
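Review bot: The added `missing_parameter_pass: 'true'` in sysctl_net_ipv6_conf_all_accept_source_route/rule.yml relaxes the check for openEuler without saying why, and it is gated with `"openeuler" in product` where the rest of this patch uses `product in ['openeuler2203','openeuler2403']`; the same three lines are added to sysctl_net_ipv6_conf_all_forwarding and sysctl_net_ipv6_conf_default_accept_source_route. As far as the option name indicates, a system with no persistent setting for the parameter then passes, so the hardened value rests on the kernel default rather than on configuration, and the substring test would extend that to any later openEuler product automatically. The sibling rule sysctl_net_ipv6_conf_all_accept_redirects gains openEuler in this patch without the relaxation, so the treatment is not uniform. I would use `{{% if product in ['openeuler2203','openeuler2403'] %}}` and add a comment like `# openEuler: <reason a missing parameter is acceptable>` next to the variable. The `template:` block begins outside the hunk.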
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for IPv6 Forwarding' @@ -63,3 +63,6 @@ template: vars: sysctlvar: net.ipv6.conf.all.forwarding datatype: int +{{% if "openeuler" in product %}} + missing_parameter_pass: 'true' +{{% endif %}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml index e985040..2a54324 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default' @@ -68,3 +68,6 @@ template: vars: sysctlvar: net.ipv6.conf.default.accept_source_route datatype: int +{{% if "openeuler" in product %}} + missing_parameter_pass: 'true' +{{% endif %}} 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index 8756e21..efd7d4a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index 2ccc278..af51919 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml index dfcd0b6..0de28f3 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml index e3b2b18..95bf511 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces' 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml index 849ae47..a0aa7cf 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml index 9a54bbc..d7dcd8a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml index 9ff43ba..7e7e254 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml index b688a15..ac4ed33 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml index 90ef90f..c41f654 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml index 5b12a1b..bccfe90 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml index a5fb5f4..1b1b6a0 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml index 31e76dd..274288f 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml index e6b948b..ab99ff1 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index fc30851..f73277a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index a485053..1c6493e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml index 7d989f7..f9f161a 100644 --- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml +++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle15,ubuntu2004,ubuntu2204 +prodtype: openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204 title: 'Ensure nftables Default Deny Firewall Policy' 
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml index 5be921e..56204f9 100644 --- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml +++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,sle15,ubuntu2004,ubuntu2204 +prodtype: openeuler2203,openeuler2403,rhel7,rhel8,sle15,ubuntu2004,ubuntu2204 title: 'Verify nftables Service is Enabled' diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml index 043c11b..6f9d562 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml +++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle15,ubuntu2004,ubuntu2204 +prodtype: openeuler2203,openeuler2403,sle15,ubuntu2004,ubuntu2204 title: 'Set nftables Configuration for Loopback Traffic' diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml index ae1a369..5adafb8 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml +++ b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle15 +prodtype: openeuler2203,openeuler2403,sle15 title: 'Ensure all outbound and established connections are configured for nftables' 
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml index 20eeb3e..f03402b 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Disable SCTP Support' diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml index 02cb56f..17157d4 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Deactivate Wireless Network Interfaces' @@ -117,4 +117,8 @@ fixtext: |- srg_requirement: '{{{ full_name }}} wireless network adapters must be disabled.' +{{% if product in ['openeuler2203','openeuler2403'] %}} +platform: machine +{{% else %}} platform: wifi-iface +{{% endif %}} diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index 5683f30..a85c072 100644 
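Review bot: In wireless_disable_interfaces/rule.yml the openEuler branch replaces `platform: wifi-iface` with `platform: machine`, so the rule is evaluated on every host rather than only on those with a wireless interface, and nothing in the hunk explains the difference. Scan results on openEuler will then presumably report a pass where other products report not applicable, which makes cross-product reports harder to compare. If the wifi-iface applicability check does not work on openEuler, a comment above the conditional, e.g. `# openEuler: <reason wifi-iface cannot be used>`, would keep the exception from looking accidental. The rest of the rule lies outside the hunk.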
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SGID Executables Are Authorized' -prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 +prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20 description: |- The SGID (set group id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 249f971..58dc69a 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SUID Executables Are Authorized' -prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 +prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15,uos20 description: |- The SUID (set user id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index 11060d0..936873d 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml 
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure All Files Are Owned by a Group'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index 13650fc..f9af42a 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure All Files Are Owned by a User'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 8cbcf66..ed7412f 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Modprobe Loading of USB Storage Driver'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index d06852d..327c297 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
 title: 'Add nodev Option to Removable Media Partitions'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 75934b9..d47a355 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804
 title: 'Add noexec Option to Removable Media Partitions'
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index ed025e4..024eceb 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -60,6 +60,9 @@ template:
 sysctlvar: kernel.randomize_va_space
 sysctlval: '2'
 datatype: int
+{{% if "openeuler" in product %}}
+ missing_parameter_pass: 'true'
+{{% endif %}}
 fixtext: |-
 Configure {{{ full_name }}} to implement virtual address space randomization.
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index b73d219..e122550 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Restrict Access to Kernel Message Buffer'
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
index bf2e143..4df4480 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disallow magic SysRq key'
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index e03106c..7e5b67a 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
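Review bot: `missing_parameter_pass: 'true'` in the sysctl template vars of sysctl_kernel_randomize_va_space/rule.yml relaxes the ASLR check for every product whose id contains "openeuler", and nothing records the reason. As far as I know this option makes the configuration-file part of the check pass when kernel.randomize_va_space is absent from the sysctl configuration, so compliance then rests on the kernel default and the running value rather than on a persisted setting; if that is intended, say so next to the line, for example `# openEuler: default is 2, an absent sysctl.d entry is accepted` (confirm the default on both releases first). The substring test `"openeuler" in product` also applies to any future openEuler product, unlike the explicit lists used elsewhere in this patch; prefer the explicit list if the exception has only been verified on 2203 and 2403. The template block starts above the hunk.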
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Restrict usage of ptrace to descendant processes'
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
index 00cc2ff..8b5667b 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
 title: 'Ensure No Daemons are Unconfined by SELinux'
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index a49219e..d9abd2d 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Configure SELinux Policy'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index e3b95bc..cb37065 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel8,rhel9,rhv4,sle15,uos20
 title: 'Configure System Cryptography Policy'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
index 43e5f16..9f1d220 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Build and Test AIDE Database'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index a361171..ea14229 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Install AIDE'
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index b90f566..5fc764b 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'The operating system must restrict privilege elevation to authorized personnel'
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
 description: |-
 The sudo command allows a user to execute programs with elevated
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 18c6f48..26b59e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
index 6428781..8e059b0 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories'
diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml
index 89e9f8b..5beaac5 100644
--- a/products/openeuler2203/product.yml
+++ b/products/openeuler2203/product.yml
@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide"
 profiles_root: "./profiles"
 pkg_manager: "dnf"
+pkg_manager_config_file: "/etc/yum.conf"
 init_system: "systemd"
diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml
index c27aaa8..36f3833 100644
--- a/products/openeuler2403/product.yml
+++ b/products/openeuler2403/product.yml
@@ -8,6 +8,7 @@ benchmark_root: "../../linux_os/guide"
 profiles_root: "./profiles"
 pkg_manager: "dnf"
+pkg_manager_config_file: "/etc/yum.conf"
 init_system: "systemd"
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
index 07f3df9..6c8ad28 100644
--- a/shared/applicability/package.yml
+++ b/shared/applicability/package.yml
@@ -49,7 +49,7 @@ args:
 pkgname: postfix
 shadow-utils:
 {{% if pkg_system == "rpm" %}}
- {{% if product in ["sle12", "sle15"] %}}
+ {{% if product in ["openeuler2203", "openeuler2403", "sle12", "sle15"] %}}
 pkgname: shadow
 {{% else %}}
 pkgname: shadow-utils
-- 2.21.0.windows.1
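Review bot: `pkg_manager_config_file: "/etc/yum.conf"` is added directly under `pkg_manager: "dnf"` in products/openeuler2203/product.yml, and the same line is added to products/openeuler2403/product.yml, with no note on why the yum path is used for a dnf product. The gpgcheck rules enabled for these products earlier in this patch presumably read this path, so if /etc/yum.conf on openEuler is not the file dnf actually loads (or a link to it), the gpgcheck result would reflect a file that has no effect on package signature verification. Please confirm which file dnf reads on both releases and record it beside the setting, for example `# /etc/yum.conf is <the dnf main config or a link to it> on openEuler`.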